From 656b7b3432def3c092c05ba053f72e504d8c954a Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Tue, 13 Jan 2026 15:28:53 +0100
Subject: [PATCH] update actions-toolkit to 0.73.0

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/bake.yml   | 16 +++++++---------
 .github/workflows/build.yml  | 16 +++++++---------
 .github/workflows/verify.yml |  2 +-
 3 files changed, 15 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
index bd62d30..f0a0c23 100644
--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -141,7 +141,7 @@ env:
   BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
   SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0"
   BINFMT_IMAGE: "tonistiigi/binfmt:qemu-v10.0.4-56"
-  DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.72.0"
+  DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.73.0"
   COSIGN_VERSION: "v3.0.2"
   LOCAL_EXPORT_DIR: "/tmp/buildx-output"
   MATRIX_SIZE_LIMIT: "20"
@@ -690,10 +690,9 @@ jobs:
               imageDigest: inpImageDigest
             });
             
-            const verifyResults = await sigstore.verifySignedManifests(
-              { certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/bake.yml.*$` },
-              signResults
-            );
+            const verifyResults = await sigstore.verifySignedManifests(signResults, {
+              certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/bake.yml.*$`
+            });
             
             await core.group(`Verify commands`, async () => {
               const verifyCommands = [];
@@ -722,10 +721,9 @@ jobs:
               localExportDir: inplocalExportDir
             });
             
-            const verifyResults = await sigstore.verifySignedArtifacts(
-              { certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/bake.yml.*$` },
-              signResults
-            );
+            const verifyResults = await sigstore.verifySignedArtifacts(signResults, {
+              certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/bake.yml.*$`
+            });
             
             await core.group(`Verify commands`, async () => {
               const verifyCommands = [];
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2445bb0..efd2524 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -148,7 +148,7 @@ env:
   BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
   SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0"
   BINFMT_IMAGE: "tonistiigi/binfmt:qemu-v10.0.4-56"
-  DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.72.0"
+  DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.73.0"
   COSIGN_VERSION: "v3.0.2"
   LOCAL_EXPORT_DIR: "/tmp/buildx-output"
   MATRIX_SIZE_LIMIT: "20"
@@ -592,10 +592,9 @@ jobs:
               imageDigest: inpImageDigest
             });
             
-            const verifyResults = await sigstore.verifySignedManifests(
-              { certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/build.yml.*$` },
-              signResults
-            );
+            const verifyResults = await sigstore.verifySignedManifests(signResults, {
+              certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/build.yml.*$`
+            });
             
             await core.group(`Verify commands`, async () => {
               const verifyCommands = [];
@@ -624,10 +623,9 @@ jobs:
               localExportDir: inplocalExportDir
             });
             
-            const verifyResults = await sigstore.verifySignedArtifacts(
-              { certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/build.yml.*$` },
-              signResults
-            );
+            const verifyResults = await sigstore.verifySignedArtifacts(signResults, {
+              certificateIdentityRegexp: `^https://github.com/docker/github-builder-experimental/.github/workflows/build.yml.*$`
+            });
             
             await core.group(`Verify commands`, async () => {
               const verifyCommands = [];
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 186713c..8b01453 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -13,7 +13,7 @@ on:
         required: false
 
 env:
-  DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.72.0"
+  DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.73.0"
 
 jobs:
   verify: